Dutch cybercops tracked a crypto theft to one of the world’s worst botnets
After years of hacking servers to swindle millions of dollars, the notorious Ebury malware gang had slipped into the shadows by 2021. Suddenly, they reemerged with a bang.
The new evidence surfaced during a police investigation in the Netherlands. A cryptocurrency theft had been reported to the Dutch National High Tech Crime Unit (NHTCU). On the victim’s server, the cybercops found a familiar foe: Ebury.
The discovery revealed a new target for the botnet. Ebury had diversified to stealing Bitcoin wallets and credit card details.
The NHTCU sought assistance from ESET, a Slovakian cybersecurity firm. The request reopened a case that Marc-Etienne Léveillé has investigated for over a decade.
Back in 2014, the ESET researcher had co-authored a white paper on the botnet operations. He called Ebury the “most sophisticated Linux backdoor ever seen” by his team.
Cybercriminals use Ebury as a powerful backdoor and credential stealer. After entering a server, the botnet can also deploy further malware, redirect web visitors to fraudulent ads, and run proxy traffic to send spam. According to US officials, the operation fraudulently generated millions of dollars in revenue.
“It’s very well done and they’ve been able to stay under the radar for so many years,” Léveillé tells TNW.
A year after ESET’s original paper was published, an alleged Ebury operator was arrested in Finland. His name was Maxim Senakh. The Finnish authorities then extradited the Russian citizen to the US.
The 41-year-old eventually pleaded guilty to a reduced set of computer fraud charges. In 2017, he was sentenced to nearly four years in prison.
In a press release, the US Justice Department said Ebury had infected “tens of thousands” of servers across the world. Yet that was just a fraction of the total.
Hello ESET honeypot
While Senakh’s trial progressed, ESET’s researchers ran honeypots to track Ebury’s next moves. They discovered that the botnet was still expanding and receiving updates. But their detective work didn’t stay concealed for long.
“It was getting more and more difficult to make the honeypots undetectable,” Léveillé says. “They had a lot of techniques to see them.”
One honeypot reacted strangely when Ebury was installed. The botnet’s operators then abandoned the server. They also sent a message to their adversaries: “Hello ESET honeypot!”
As the case went cold, another one was developing in the Netherlands.
By late 2021, the NHTCU had created another lead for ESET. Working together, the cybercrime unit and cybersecurity firm investigated Ebury’s evolution.
“The botnet had grown,” Léveillé says. “There were new victims and even larger incidents.”
ESET now estimates that Ebury has compromised about 400,000 servers since 2009. In a single incident last year, 70,000 servers from one hosting provider were infected by the malware. As of late 2023, over 100,000 servers from one hosting provider were still compromised.
Some of these servers were used for credit card and cryptocurrency heists.
The botnet comes for Bitcoin
To steal cryptocurrency, Ebury deployed adversary-in-the-middle (AitM) attacks, a sophisticated phishing technique used to access login credentials and session information.
By applying AitM, the botnet intercepted network traffic from interesting targets inside data centres. The traffic was then redirected to a server that captured the credentials.
The hackers also leveraged servers that Ebury had previously infected. When these servers are in the same network segment as the new target, they provide a platform for spoofing.
Among the lucrative targets were Bitcoin and Ethereum nodes. Once the victim entered their password, Ebury automatically stole cryptocurrency wallets hosted on the server.
The AitM attacks provided a powerful new method of quickly monetising the botnet.
“Cryptocurrency theft was not something that we’d ever seen them do before,” Léveillé says.
The Dutch investigation continues
The variety of Ebury victims has also grown. They now span universities, small businesses, large enterprises, and cryptocurrency traders. They also include internet service providers, Tor exit nodes, shared hosting providers, and dedicated server providers.
To conceal their crimes, Ebury operators often use stolen identities to rent server infrastructure and conduct their attacks. These techniques have led investigators in the wrong directions.
“They’re really good at blurring the attribution,” Léveillé says.
The NHTCU found further evidence of the obfuscation. In a new ESET white paper, the Dutch crimefighters highlighted several anonymisation techniques.
Ebury’s digital footprints often proved to be faked, the NHTCU said. The tracks frequently led to (seemingly) innocent people.
Operators also used the monikers and credentials of known cybercriminals to shake investigators off the trail. On one seized backup server, the NHTCU found a full copy of an illicit website with logins harvested by other crooks.
“Hence the Ebury group does not only benefit from the theft of the already stolen login credentials, but is also in a position to use the credentials of the cybercriminals stealing them,” the Dutch police unit said.
“Consequently, they can create a ‘cybercriminal cover’ pointing in other directions than themselves.”
Despite these red herrings, the NHTCU says “several promising digital identities” are being actively pursued. Léveillé, meanwhile, is taking another break from his 10-year investigation.
“It’s not closed, but I’m not sure about any individuals behind it,” he says. “That’s still an unknown — for me at least.”
WASHINGTON — The House Ethics Committee said Wednesday it will open an investigation into Rep. Henry Cuellar, a Texas Democrat who was recently indicted in a federal bribery case.
The panel said in a statement that it had unanimously voted to form a subcommittee tasked with investigating Cuellar after the Justice Department this month released an indictment accusing Cuellar and his wife, Imelda, of accepting $598,000 in bribes from foreign entities, including a Mexican bank and an oil and gas company controlled by Azerbaijan.
The subcommittee will have jurisdiction to investigate whether Cuellar “solicited or accepted bribes, gratuities, or improper gifts; acted as a foreign agent; violated federal money laundering laws; misused his official position for private gain; and/or made false statements or omissions on public disclosure statements filed with the House.”
Before the charges were unsealed this month, Cuellar denied any wrongdoing and said he had “proactively sought legal advice” from the panel.
In a statement Wednesday, Cuellar reaffirmed his innocence.
“I respect the work of the House Ethics Committee,” Cuellar said. “As I said on May 3rd, I am innocent of these allegations, and everything I have done in Congress has been to serve the people of South Texas.”
The Ethics Committee in Wednesday’s statement cited House rules that require it to establish an investigative subcommittee or explain its decision not to within 30 days of a member’s being indicted or otherwise charged.
Chairman Michael Guest, R-Miss., and Rep. Glenn Ivey, D-Md., will serve as the chair and ranking member of the new subcommittee.
The federal indictment is poised to make Cuellar’s seat more vulnerable in November. Two years ago he easily defeated his Republican opponent, Cassy Garcia.
Cuellar and his wife are not the first congressional couple to face charges in alleged foreign bribery schemes in the past year. The Justice Department hit Sen. Bob Menendez, D-N.J., and his wife, Nadine Menendez, with 18 criminal charges tied to bribery and corruption. They have pleaded not guilty. Bob Menendez is on trial.
Rebecca Kaplan reported from Washington, D.C., and Zoë Richards from New York.
ProPublica is a nonprofit newsroom that investigates abuses of power.
From the start of U.S. investigations into the terrorist attacks of Sept. 11, 2001, the question of whether the Saudi government might have been involved has hovered over the case.
The FBI, after the most extensive criminal probe in its history, concluded that a low-level Saudi official who helped the first two hijackers in California met them by chance and aided them unwittingly. The CIA said it saw no evidence of a higher-level Saudi role. The bipartisan 9/11 commission adopted those findings. A small FBI team continued to dig into the question, turning up information that raised doubts about some of those conclusions.
But now, 23 years after the attacks, new evidence has emerged to suggest more strongly than ever that at least two Saudi officials deliberately assisted the first Qaida hijackers when they arrived in the United States in January 2000.
Whether the Saudis knew the men were terrorists remains unclear. But the new information shows that both officials worked with Saudi and other religious figures who had ties to al-Qaida and other extremist groups.
Much of the evidence has been gathered in a long-running federal lawsuit against the Saudi government by survivors of the attacks and relatives of those who died. That lawsuit has reached a critical moment, with a judge in New York preparing to rule on a Saudi motion to dismiss the case.
Already, though, information put forward in the plaintiffs’ case — which includes videos, telephone records and other documents that were collected soon after the attacks but were never shared with key investigators — argues for a fundamental reassessment of the Saudi government’s possible involvement with the hijackers.
The court files also raise questions about whether the FBI and CIA, which repeatedly dismissed the significance of Saudi links to the hijackers, mishandled or deliberately downplayed evidence of the kingdom’s possible complicity in the attacks that killed 2,977 people and injured thousands more.
“Why is this information coming out now?” asked retired FBI agent Daniel Gonzalez, who pursued the Saudi connections for nearly 15 years. “We should have had all of this three or four weeks after 9/11.”
Saudi officials have long denied any involvement in the plot, emphasizing that they were at war with al-Qaida well before 2001.
They have also leaned on earlier U.S. assessments, especially the one-page summary of a joint FBI-CIA report that was publicly released by the Bush administration in 2005. That summary said there was no evidence that “the Saudi Government or members of the Saudi royal family knowingly provided support” for the attacks.
Pages of the report that were declassified in 2022 are more critical of the Saudi role, describing extensive Saudi funding for Islamic charities linked to al-Qaida and the reluctance of senior Saudi officials to cooperate with U.S. counterterrorism efforts.
The plaintiffs’ account still leaves significant gaps in the story of how two known al-Qaida operatives, Nawaf al-Hazmi and Khalid al-Mihdhar, avoided CIA surveillance overseas, flew into Los Angeles under their own names and then — despite speaking no English and ostensibly knowing no one — settled in Southern California to begin preparing for the attacks.
Still, the lawsuit has exposed layers of contradictions and deceit in the Saudi government’s portrayal of Omar al-Bayoumi, a middle-aged Saudi graduate student in San Diego who was the central figure in the hijackers’ support network.
Almost immediately after the 9/11 attacks, FBI agents identified Bayoumi as having helped the two young Saudis rent an apartment, set up a bank account and take care of other needs. Bayoumi, then 42, was arrested on Sept. 21, 2001, in Birmingham, England, where he had moved to continue graduate studies in business. Scotland Yard terrorism investigators questioned him for a week in London as two FBI agents monitored the sessions.
Bayoumi dissembled from the start, newly released transcripts of the interrogations show. He said he barely remembered the two Qaida operatives, having met them by chance at a halal cafe in the Los Angeles suburb of Culver City, after he stopped at the Saudi Consulate to renew his passport. The evidence shows he actually renewed his passport the day before the encounter at the cafe, one of many indications that his meeting with the hijackers was planned.
After pressure from Saudi diplomats, Bayoumi was freed by the British authorities without being charged. U.S. officials did not try to have him extradited.
Two years later, in Saudi Arabia, Bayoumi sat for interviews with the FBI and the 9/11 commission that were overseen by Saudi intelligence officials. Once again, he insisted that he was just being hospitable to the hijackers. He knew nothing of their plans, he said, and was opposed to violent jihad.
Gonzalez and other FBI agents were dubious. Although Bayoumi was supposedly a student, he did almost no studying. He was far more active in setting up a Saudi-funded mosque in San Diego and spreading money around the Muslim community. (The Saudi government paid him surreptitiously through an aviation-services company in Houston.)
FBI officials in Washington accepted the Saudi depiction of Bayoumi as an amiable, somewhat bumbling government accountant trying to improve his skills, and as a devout but moderate Muslim — and not a spy. The lead agent on the FBI team that investigated him, Jacqueline Maguire, told the 9/11 commission that by “all indications,” Bayoumi’s connection with the hijackers had been the result of “a random encounter” at the cafe.
The 9/11 commission accepted that assessment. The commission’s investigators noted Bayoumi’s “obliging and gregarious” manner in interviews and called him “an unlikely candidate for clandestine involvement with Islamist extremists.” The panel found “no credible evidence that he believed in violent extremism or knowingly aided extremist groups.”
But in 2017, the FBI concluded that Bayoumi was, in fact, a Saudi spy — although it kept that finding secret until 2022, after President Joe Biden ordered agencies to declassify more documents from the 9/11 files.
Exactly whom in the Saudi government Bayoumi was working for remains unclear. FBI reports describe him as a “cooptee,” or part-time agent, of the Saudi intelligence service, but say he reported to the kingdom’s powerful former ambassador to Washington, Prince Bandar bin Sultan. (Lawyers for the Saudi government have continued to repeat Bayoumi’s earlier denials that he ever had “any assignment” for Saudi intelligence.)
Another layer of Bayoumi’s hidden identity has emerged from documents, videotapes and other materials that were seized from his home and office at the time of his arrest in England. The plaintiffs had sought that information from the Justice Department for years but received almost nothing until the British authorities began sharing their copies of the material in 2023.
Although Saudi officials insist that Bayoumi merely volunteered at a local mosque, the British evidence points to his deeper collaboration with the Ministry of Islamic Affairs. The Saudi royals had established the ministry in 1993 as part of a governing pact with the powerful clergy. In return for political support, they gave the clerics effective control over domestic religious matters and funded their efforts to spread their fundamentalist Wahhabi brand of Islam overseas.
From the start of the FBI’s 9/11 investigation, agents pored over a short excerpt of a videotape recorded at a party that Bayoumi hosted for some two dozen Muslim men in February 2000, soon after Hazmi and Mihdhar arrived in San Diego.
It was another coincidence, Bayoumi claimed, that he held the event in the hijackers’ apartment. The two young Saudis had nothing really to do with the gathering, he said, but he needed to keep his wife and other women in his own apartment, sequestered from male guests in line with conservative Muslim custom.
The FBI did not share a full copy of the VHS recording with either its own field agents or the 9/11 families, who sought it repeatedly. (An FBI spokesperson declined to comment on the bureau’s handling of the Bayoumi evidence.) But the full recording was provided to the plaintiffs by the British police last December.
The longer version casts Bayoumi’s gathering in a completely different light. Although the nominal guest of honor is a visiting Saudi cleric, the two hijackers are carefully introduced to the other guests and are apparently at the center of the proceedings.
After identifying many of the party guests for the first time, the plaintiffs’ lawyers were able to document that many went on to play significant roles in the hijackers’ support network, helping them set up internet and telephone service, sign up for English classes and buy a used car.
“Bayoumi hand-picked these individuals because he knew and assessed that they were well-suited to provide the Al Qaeda operatives with important forms of support,” the lawyers wrote of the party guests.
Another videotape taken from Bayoumi’s Birmingham home is even more at odds with the image he conveyed to the FBI and the 9/11 commission. The video follows Bayoumi as he tours Washington, D.C., with two visiting Saudi clerics early in the summer of 1999.
Lawyers for the Saudi government called the recording an innocent keepsake — “a tourist video that includes footage of artwork, flowerbeds, and a squirrel on the White House lawn.” But the plaintiffs’ lawyers posit a more ominous motive, especially as Bayoumi focuses on his main subject: an extensive presentation of the Capitol building, which is shown from a series of vantage points and in relation to other Washington landmarks.
“We greet you, the esteemed brothers, and we welcome you from Washington,” Bayoumi says on the video. Later, standing before the camera, he reports as “Omar al-Bayoumi from Capitol Hill, the Capitol building.”
The footage shows the Capitol from various angles, noting architectural features, entrances and the movement of security guards. Bayoumi sprinkles his narration with religious language and refers to a “belief.”
“Bayoumi’s video footage and his narration are not that of a tourist,” the plaintiffs contend in one court document, citing the analysis of a former FBI expert. The video, they add, “bears the hallmarks of terrorist planning operations identified by law enforcement and counterterrorism investigators in operational videos seized from terrorist groups including Al Qaeda.”
Lawyers for the Saudi government dismissed this conclusion as preposterous.
But the video’s timing is notable. According to the 9/11 commission report, Osama bin Laden and other al-Qaida leaders began discussing their “planes operation” in the spring of 1999. Although they disagreed on which U.S. landmarks to strike, the report states, “all of them wanted to hit the Capitol.”
The two Saudi clerics who joined Bayoumi on the trip, Adel al-Sadhan and Mutaeb al-Sudairy, were so-called propagators — emissaries of the Islamic Affairs ministry sent to proselytize abroad. U.S. investigators later linked them to a handful of Islamist militants.
Most notably, Sudairy, whom Bayoumi describes as the emir, or leader, of the Washington trip, spent several months living in Columbia, Missouri, with Ziyad Khaleel, a Palestinian-American al-Qaida member who delivered a satellite phone to bin Laden in Afghanistan in 1998. The Qaida leader used the phone to coordinate the deadly bombings of U.S. embassies in Kenya and Tanzania, FBI officials have said.
Sudairy and Sadhan, who had diplomatic status, had previously visited California, working with Bayoumi and staying at a small San Diego guesthouse where the hijackers later lived. Many new details of their travels were revealed in the British documents. The two Saudis had previously denied even knowing Bayoumi, one of many false claims in depositions coordinated by the Saudi government.
The new evidence also shows that Sadhan and Sudairy worked with the other key Saudi official linked to the hijackers, the cleric Fahad al-Thumairy. According to one FBI source, it was Thumairy, the 32-year-old imam of a prominent Saudi mosque in Culver City, who received the hijackers when they arrived on Jan. 15, 2000, and arranged for their short-term housing and other needs.
Thumairy, a Ministry of Islamic Affairs official who was also assigned to the Saudi consulate, insisted he had no memory of Hazmi and Mihdhar, although the three were seen together by several FBI informants. Thumairy also denied knowing Bayoumi, despite telephone records that show at least five dozen calls between them. Thumairy’s diplomatic visa was withdrawn by the State Department in 2003 because of his suspected involvement with terrorist activity.
In an extensive analysis of telephone records produced by the FBI and the British authorities, the plaintiffs also documented what they called patterns of coordination involving Bayoumi, Thumairy and other Saudi officials. (Lawyers for the Saudi government said the calls were about mundane religious matters.)
Two weeks before the hijackers’ arrival, for example, the records show calls among Bayoumi, Thumairy and the Islamic Affairs director at the Saudi Embassy in Washington. Bayoumi and Thumairy also made a number of calls around that time to a well-known Yemeni American cleric, Anwar al-Awlaki, who later emerged as an important Qaida leader in Yemen.
It has long been known that Awlaki, who was killed by a U.S. drone strike in 2011, had some contact with Hazmi and Mihdhar in San Diego and met two other 9/11 hijackers after moving to a mosque in Falls Church, Virginia. But many FBI investigators believed he was radicalized well after 9/11 and would not have known the hijackers’ plans.
New evidence filed in the court case points to a more significant relationship. Awlaki appears to have met Hazmi and Mihdhar as soon as they arrived in San Diego. He joined Bayoumi in helping them rent an apartment and set up bank accounts, and he was seen by others to have served as a trusted religious adviser.
Awlaki’s worldview “matched quite closely to al-Qaida’s at the time,” said Alexander Meleagrou-Hitchens, a biographer of Awlaki who served as an expert for the plaintiffs. “The new information now becoming public, on top of what we already know about his teachings and associations, makes it reasonable to conclude that Awlaki knew the hijackers were part of the al-Qaeda network.”
What is cyber security in the hospitality industry?
Cybersecurity in the hospitality industry is the software and processes that safeguard the vast array of sensitive data that hotels and resorts collect from their guests.
For hoteliers, this means not only protecting customer information, like credit card details and personal preferences, but also ensuring the security of internal systems against cyber threats such as data breaches or ransomware attacks. Recognising and investing in cybersecurity measures is not just about risk management; it’s about upholding your establishment’s reputation and providing a safe, seamless experience for every guest.
In this blog, we’ll tell you everything you need to know about hotel cyber security, including what they are, the various ways you could be hacked, the consequences, and how to protect yourself.
Table of contents
1. What is cyber security in the hospitality industry?
2. What is a hotel data security breach?
3. Why hotel cyber security is important
4. Common cyber security threats in the tourism and hospitality industry
5. Examples of hotel security breach
6. Review of cyber security issues in hospitality industry
7. PCI compliance in the hospitality industry
8. Hospitality cyber security compliance: GDPR for hotels
13. How can cyber security threats in the hospitality industry be avoided
14. How SiteMinder helps with cyber security for the hotel industry
What is a hotel data security breach?
A data breach is the release, intentional or unintentional, of private or confidential information to an untrusted environment. In other words, when data is viewed or transferred by someone not authorised to do so, this is a breach.
Data breaches may involve financial information such as credit card or bank details, personal health information (PHI), personally identifiable information (PII), trade secrets of corporations or intellectual property. Most data breaches involve files, documents, and other sensitive information.
Data breaches are a concerning and damaging threat to all kinds of industries and businesses worldwide. Hotels are especially vulnerable because they deal with a large amount of personal information from guests and customers. Hackers can take all types of sensitive information from hotels – anything from email addresses to home addresses and credit card data.
The fines for such breaches are steep, but they’re not the only things your hotel should worry about. A security breach can significantly tarnish your company’s reputation in a very public way and many travellers say they will be less likely to book again with a company that lost their data through a security breach.
Why hotel cyber security is important
In this digital era, the hospitality industry must hurdle a critical challenge: safeguarding the extensive sensitive information generated by day-to-day online dealings and digital interactions. For hotel brands, the imperative to shield their own and their customers’ data has escalated to unprecedented levels.
The recent surge in online business and internet transactions has not just been a boon but a call for heightened vigilance. Hotel brands are now, more than ever, under the obligation to ensure the security of their own and their customers’ data. Today’s cyber-criminals are devising newer, more sophisticated methods to infiltrate and extract sensitive customer information from hotel websites, internal systems, servers, and even mobile platforms – your front desk is not exempt from these threats.
So, what could be the fallout of a security breach in your hotel’s systems or those of your partners? The aftermath is often grim: thorough investigations, severe damage to your brand’s reputation, a significant erosion of consumer trust, and these are just the immediate repercussions. The financial implications are no less daunting, often involving thousands of dollars in penalties and fines.
To outpace these relentless hackers, hoteliers must intensify their focus on how they collect, store, and safeguard customer data, and how they manage their systems. Installing firewalls or updating antivirus software is a start, but it isn’t the end. Cybersecurity in your hotel is about cultivating a culture of cybersecurity awareness throughout the organisation, from the executive suite to the front desk. Your hotel’s reputation, customer trust, and financial health depend on this vigilance.
Common cyber security threats in the tourism and hospitality industry
Here are three of the most common forms of online security breaches that may occur – along with some tips to avoid a hotel data breach where you are…
1. Hotel malware
Malware is any piece of software that was written with the intent of doing harm to data, devices or to people. Malware is perhaps the most common and most dangerous online security threat thanks to its diversity.
Officially standing for malicious software, malware incorporates many different types of potential dangers to hotel technology such as reservations systems.
These include:
Viruses
Just like a virus you might contract, a computer virus will infect files on your system and then spread uncontrollably, eventually crippling the machine if left unchecked.
Trojans
Trojans are chameleons, disguising themselves as all types of legitimate software or hiding with legitimate software that’s been tampered with. Once installed, they will then attack the system.
Spyware
Somewhat obviously, spyware is designed to linger undetected in the background of your system and take note of what you do online. It will look for passwords, payment card data such as credit card information, names and addresses, and other private details.
Worms
These have the ability to infect a whole network of connected devices, and then use all of them to infect more, either locally or across the Internet.
Ransomware
Again self-explanatory, this malware essentially locks your computer and threatens to destroy everything unless you pay a ransom to the owner. (Talk about dramatic.)
Adware
This is not the most hostile of the group, often it will simply serve you annoying ads or pop-ups, but it can also open a way for other malware to get in.
The problem is that all of these types of malware require slightly different methods of removal and protection if a breach does take place at affected hotels. It’s always good practice to avoid engaging with suspicious emails and clicking insecure links, but the only way to be completely safe is to ensure you have anti-malware and antivirus software installed on all the devices you conduct your business with.
2. Spam
Spam, a term that has its origins way back in 1970 thanks to a Monty Python sketch, is the sending of unsolicited messages, mostly advertising, via email.
The term can also apply to other media such as instant messaging spam, search engine spam, spam in blogs, wiki spam, online ads spam, text message spam, Internet forum spam, junk fax transmissions, social spam, spam mobile apps, television advertising and file sharing spam.
It’s all very unwelcome usually and in some cases carries more dangerous malware with it.
However, there are plenty of ways to ensure you’re not bothered by spam at your hotel. Here are some tips:
Avoid opening emails that look like scams or spam
Never give in to spammers by purchasing something or accepting an offer
Don’t bother replying. Simply delete and/or block
Don’t be tricked into clicking. Even if a link is labelled ‘unsubscribe’ it will just confirm the email address is active and encourage more spam
Use a disposable email address for purposes that may attract spam such as online purchasing
In fact, be very wary where you put your main email address and who you give it to
Try to use web contact forms instead of actually posting your email address on your website publicly
When communicating your email address, present it in a way a person will understand but a spambot won’t. For example, test at test.com instead of test@test.com
3. DoS attacks
A denial-of-service (DoS) attack occurs when a hacker or virus shuts down a machine or network and prevents it being accessed by its intended users. This is usually done by flooding the system with an unprecedented amount of traffic or by sending information that triggers a crash.
The victims of DoS are usually high-profile organisations that people hold a grudge against.
A few different methods of DoS attacks exist. They include:
Buffer overflow attacks sending more traffic to a network address than the programmers have built the system to handle
ICMP floods that leverage misconfigured network devices by sending spoofed packets that ping every computer on the targeted network
SYN floods that send a request to connect to a server, but never complete it. This continues until all open ports are saturated with requests
DoS attacks are very hard to predict or prevent. Usually solutions depend on countermeasures once the attack has been noticed.
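Noticing a SYN flood usually starts with counting half-open connections. The following Python code is an added example, not part of the original article: it reads connection listings in the column layout of `ss -tan` and flags ports where unfinished handshakes dominate. The sample listing, the function names and the threshold values are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample in the column layout of `ss -tan` output; the addresses
# come from the RFC 5737 documentation ranges and are not real hosts.
SS_SAMPLE = """\
State     Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN    0      128    0.0.0.0:443          0.0.0.0:*
LISTEN    0      128    0.0.0.0:22           0.0.0.0:*
ESTAB     0      0      192.0.2.10:443       198.51.100.7:51514
ESTAB     0      0      192.0.2.10:22        198.51.100.9:40022
SYN-RECV  0      0      192.0.2.10:443       203.0.113.5:1025
SYN-RECV  0      0      192.0.2.10:443       203.0.113.77:4431
SYN-RECV  0      0      192.0.2.10:443       203.0.113.140:6000
SYN-RECV  0      0      192.0.2.10:443       203.0.113.201:2222
SYN-RECV  0      0      192.0.2.10:443       203.0.113.9:35000
SYN-RECV  0      0      192.0.2.10:443       203.0.113.61:9
"""


def connection_counts(ss_output):
    """Count half-open (SYN-RECV) and established sockets per local port."""
    counts = defaultdict(lambda: {"half_open": 0, "established": 0})
    for line in ss_output.splitlines():
        fields = line.split()
        # Skip the header, LISTEN sockets and any state we do not track.
        if len(fields) < 5 or fields[0] not in ("SYN-RECV", "ESTAB"):
            continue
        # rsplit keeps working for bracketed IPv6 addresses such as [::1]:443.
        port = int(fields[3].rsplit(":", 1)[1])
        key = "half_open" if fields[0] == "SYN-RECV" else "established"
        counts[port][key] += 1
    return dict(counts)


def syn_flood_suspects(ss_output, min_half_open=5, min_share=0.8):
    """Ports where handshakes that never complete make up most connections.

    Both thresholds are illustrative assumptions; tune them to normal traffic.
    """
    suspects = []
    for port, c in connection_counts(ss_output).items():
        total = c["half_open"] + c["established"]
        if c["half_open"] >= min_half_open and c["half_open"] / total >= min_share:
            suspects.append(port)
    return sorted(suspects)


if __name__ == "__main__":
    print(connection_counts(SS_SAMPLE))
    print("suspect ports:", syn_flood_suspects(SS_SAMPLE))
```

Counting is done per local port rather than per peer because the peer addresses in a SYN flood are typically spoofed and rarely repeat.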
Examples of hotel security breach
Some of the world’s largest companies have fallen prey to data breaches, costing millions of dollars in damages. In 2013 Yahoo was attacked and three billion user accounts were compromised. In the same year eBay had almost 150 million customer accounts accessed illegally.
Hotels and bed and breakfast properties have also been key targets of data breaches for many years – and there is one main reason for this: credit card payments. The security breach happens online, because that’s where your guests are making their bookings, or where your front desk staff are making bookings on their behalf. Unfortunately, going ‘off the grid’ isn’t a feasible solution to the issue – the online space is too big to ignore and credit card usage continues to grow.
And while not a strict data breach, Booking.com paid about 10,000 customers who fell victim to a scheme which conned customers out of data.
Marriott hotel security breach
In 2018 Marriott announced that hackers had attempted to access its Starwood Hotels & Resorts Worldwide guest reservation database. Further investigation revealed unauthorised access to the system as far back as 2014, two years before Marriott acquired Starwood.
A valuable lesson here is that businesses should always scrutinise the cybersecurity and data handling of other companies before they enter into any type of deal. Even though the hack happened before the acquisition, it’s still Marriott’s reputation that is compromised. The same principle should be applied when a company acquires new infrastructure, applications, and systems. While these seem like assets, they should also be treated as potential liabilities.
Estimates said up to 500 million guests, including 327 million guests whose data includes “some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date and communication preferences”, may have had their information at risk in the period between 2014 and 2018. Marriott also confirmed some compromised guest data includes payment card numbers and expiration dates.
IHG hotel security breach
Front desk cash registers at more than 1,200 hotels in the InterContinental Hotels Group, which includes the Holiday Inn and Crowne Plaza brands, were infected with malware that stole customer debit and credit card data between September 29, 2016 and December 29, 2016. The company has a network of more than 5,000 hotels in over 100 countries so that could mean more than one-fifth of its hotels were affected.
The malware stole information read from the magnetic stripe of a payment card as it travelled through the affected hotel’s server. That information could have included the cardholder’s name in addition to card number, expiration date, and internal verification code.
Hilton hotel security breach
In 2017 BBC News reported Hilton was fined $700,000 for mishandling data breaches in 2014 and 2015.
The company discovered the first breach in February 2015 and the second in July 2015, but first went public with the breaches in November 2015. US federal investigators said Hilton had taken too long to warn customers and lacked adequate security measures.
Wyndham hotel security breach
Wyndham Worldwide were involved in a lawsuit after failing to properly safeguard customer information, in a case arising from three data breaches affecting more than 619,000 customers.
The Federal Trade Commission wanted to hold Wyndham accountable for breaches in which hackers broke into its computer system and stole credit card and other details from customers, leading to over $10.6 million in fraudulent charges.
Under the order, Wyndham established a comprehensive information security program designed to protect cardholder data including payment card numbers, names and expiration dates.
Expedia security breach
Expedia subsidiary Orbitz disclosed that about 880,000 payment cards had been impacted by a security breach that potentially exposed customers’ information to hackers.
The travel booking site said an investigation determined that an attacker may have accessed personal information of people who made purchases between January 1 2016 and December 22 2017.
The personal information potentially exposed includes credit card information, addresses and phone numbers of customers. The information attackers “likely accessed” included people’s names, dates of birth, email addresses, street addresses, and genders, Orbitz said.
Review of cyber security issues in hospitality industry
In the hospitality industry, adhering to the Payment Card Industry Data Security Standard (PCI DSS) and the General Data Protection Regulation (GDPR) is essential for safeguarding sensitive customer data.
PCI DSS, enforced by major credit card companies, mandates secure processing, storage, and transmission of credit card information, affecting every credit card transaction in hotels.
GDPR, implemented in the EU, emphasises the protection of personal data and impacts hotel marketing strategies, especially concerning guest databases and email campaigns.
HTTPS website security is crucial for building guest trust and securing online transactions.
Hoteliers must take proactive steps, including appointing a compliance champion, educating staff, controlling data access, and collaborating with PCI-compliant vendors, to adhere to these standards and protect against data breaches and hefty fines.
PCI compliance in the hospitality industry
The PCI Compliance Guide defines PCI DSS (Payment Card Industry Data Security Standard) as a set of requirements designed to ensure that all companies that process, store or transmit credit card information maintain a secure environment.
PCI DSS has changed the way the travel industry approaches safety standards relating to how credit card payments are handled and processed. The standard is enforced by major credit card companies – including Visa, MasterCard, American Express, Discover and JCB – as part of their merchant agreements.
Designed to help prevent payment card fraud, the standard applies to any business involved in the processing, storing or transmitting of cardholder data, regardless of the transaction volume or dollar value involved. Should a guest use their credit card to pay for something at a hotel, for example – be it a room reservation, spa treatment or coffee – PCI DSS applies to that purchase.
PCI DSS compliance is not a ‘nice-to-have’, but an absolute necessity. A security breach not only damages your reputation, but it could potentially wreak havoc on the lives of your guests, and cost you a significant amount in the way of data breach fees.
Hotel PCI DSS requirements
Here’s your quick start list on PCI DSS compliance for hotels:
Name an owner or champion of PCI DSS compliance within your organisation: This person within your hotel can work with the various departments to ensure PCI DSS compliance is understood and act as ‘go to’ person if staff have questions.
Be proactive: Teach staff why data security is important and the impact any breach may have. Show them how they can be proactive in managing security every day.
Protect physical data: Control access to the back office and anywhere receipts are filed. Provide secure disposal bins or a shredder for disposal of sensitive paperwork.
Proactively manage access to systems: Restrict access to payment or personal data to only staff who require this information to do their job. Use individual logins and access codes to systems.
Check your vendor’s approach to data security: Clarify the role vendors play in terms of compliance with data-related standards, and seek PCI DSS compliant partners.
Secure online booking data: While you may need a paper copy of a reservation, do not print credit card details of customers from your online systems. Select an online booking engine that is fully PCI DSS compliant.
To help businesses determine their level of PCI DSS compliance, the PCI Security Standards Council provides various Self-Assessment Questionnaires (SAQs) online, as well as professional training for firms and individuals.
The cost of becoming PCI DSS compliant depends on a number of factors, including the size of your business and your existing IT infrastructure.
To achieve PCI DSS compliance, follow these steps:
Speak with your acquiring bank(s) to determine the correct SAQ for your business (e.g. Visa, MasterCard, AMEX)
Complete the appropriate SAQ for your business
Submit the SAQ, evidence of a passing scan (if required), the Attestation of Compliance and any other requested documentation to your acquiring bank(s).
Hospitality cyber security compliance: GDPR for hotels
The GDPR was implemented to strengthen and unify data protection in the European Union (EU) and could directly affect your hotel.
The GDPR gives more control to residents over their personally identifiable information and aims to simplify the regulatory environment for international business.
Hotels need to ensure they review their connections to third party data processors (such as technology vendors), their own security policies, and if they have the necessary qualified staff on hand to cope with the new laws.
The GDPR dictates that all of these must be reviewed and it’s likely that data agreements will have to be renegotiated to remain compliant.
As is widely reported, serious penalties may apply to companies who aren’t compliant. At worst, a fine of €20 million may be issued, or 4% of the company’s worldwide annual revenue of the prior financial year – whichever is bigger.
What hotels need to know about GDPR
For hotel marketers the new GDPR rules could be especially impactful on their guest databases – particularly in regards to running email campaigns and sending prospective guests promotional offers enticing them to book a room.
Under the GDPR, your prospective guests must explicitly opt-in to having their details stored and they should understand what they are being used for. If you’re looking to send email campaigns with offers to people who haven’t stayed at your hotel previously, these people must have consented willingly to being communicated with.
For example, a checkbox on an enquiry form to receive a newsletter with your hotel’s offers should not be ticked by default. Assume that unless the user selects it, they do not wish to opt in to your promotional email messages.
What can your hotel do to keep your guest database intact?
Hotels must have regained consent from prospective guests they’re currently sending promotional emails to – and it will need to be clearly explained what content they will receive and how their data will be used.
One way to do this is for hotels to run a campaign seeking permission to email prospective guests and ask them to opt-in to promotional communications.
This can actually be a positive way to cleanse databases of disengaged contacts and increase your future email conversion rates.
Here’s what you should include in the initial email of these permission pass campaigns:
Why you are emailing the contact
A valuable reason for them to opt-in
What they will continue to receive if they do opt-in
A link to re-subscribe
An option to unsubscribe and have their data removed
A sign-off from a real person such as your general manager
You should always A/B test your email, trying different variations to see what will garner the most success.
And a last chance follow-up email should be sent, reiterating what was stated in your initial communication, to the people who did not respond. They’ll need a reminder.
You will also need to review and update your privacy statement to comply with GDPR requirements. Is the content in your privacy statement difficult to read? Or are you purposefully using terminology so that potential guests are not clear about what they’re signing up for? If so, rewrite it and make it clearer.
Privacy policy templates are readily available for free online if your hotel website doesn’t have one already. If you think it needs rewriting to comply with the GDPR, SEQ Legal provides a free template privacy policy, subject to certain conditions. You can read more on that template here.
HTTPS website data security for hotels
Creating a safe hotel website experience should be treated as a duty of care for your guests; can you imagine the consequences of a traveller being defrauded via your website? There’s also the very real danger of travellers abandoning or not even landing on your homepage in the first place.
The majority of websites use SSL encryption to protect any data that’s transmitted between a website and a shopper.
SSL encryption (today provided by its successor, TLS) is what secures the communication between a website and the consumer. The secured protocol is known as HTTPS – where the ‘s’ stands for secure. This is indicated to the user in the URL, which displays ‘https’ in place of the standard ‘http’.
It also shows the padlock symbol on the left-hand side of the URL bar which reassures people their data is secure when entering bank details or viewing their account online.
What does it mean for your hotel’s website? Basically, Google shows a huge bias towards websites that are HTTPS secure. In fact, if your website isn’t secure, Chrome will actively warn users it isn’t safe and could even restrict access to your website pages.
The reality is at some point you will probably collect data from visitors, even if it’s just an email address. It’s also been proven that HTTPS sites will load faster than HTTP, another factor influencing user experience.
Surveys say 84% of users would abandon a purchase if data was sent over an insecure connection, and a large majority are concerned about their data being intercepted or misused online. So, if you’re a hotelier that wants to convert direct bookings and maintain a high ranking on Google’s search results, it’s vital you’re HTTPS secure.
In the psychology of a prospective guest, seeing that little green padlock will give them peace of mind and an immediate sense of trust in your hotel business.
How to make a website HTTPS secure
The steps to follow when migrating your website to be HTTPS secure include:
1. Host your website with a dedicated IP address
With a dedicated IP, you ensure that the traffic going to that IP address is only going to your website and no one else’s.
2. Buy an SSL certificate
An SSL certificate will prove your website is your website. When people visit your site via HTTPS the certificate is checked, and if it matches your domain, it automatically verifies that your website is who you say it is.
3. Activate the certificate
Your web host may do this step for you – check with them before proceeding. This can get complicated and if you can wait 1-2 days it may be best to let them do it.
4. Install the certificate
When installing an SSL certificate on a hotel website, the approach will largely depend on your hosting environment and server software, which is particularly vital for ensuring guest data security and trust in your online booking systems. Here’s how you might proceed in different scenarios:
Installation on shared hosting: If your hotel website is on shared hosting (a common option for smaller hotels), log in to your hosting control panel (like cPanel). Find the SSL/TLS section and follow the steps to upload your new SSL certificate.
Installation on dedicated/VPS hosting: For larger hotels with dedicated servers, you’ll need to access your server through SSH (a secure network protocol). Upload the SSL certificate files to your server and configure your web server (like Apache or Nginx) to use these files. This might require some technical know-how or assistance from your IT team.
For managed or cloud-based hosting: If your website is on a cloud platform (like AWS) or managed hosting, you’ll typically use their interface to upload and activate your SSL certificate.
5. Update your site to use HTTPS
At this point if you go to https://yoursite.com you should see it load! Congrats, you’ve successfully installed SSL and enabled the HTTPS protocol. Keep in mind that you only need to protect a few pages, such as your login or checkout.
If you enable HTTPS on pages where the user isn’t submitting sensitive data, it’s just wasting encryption processing and slowing down the experience.
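Once the certificate is installed, it is worth checking what the server actually presents rather than relying on the page loading. The following Python code is an added example, not part of the original article: `fetch_certificate` connects the way a browser would, and `review` reports the problems that most often follow a migration. The host name `hotel.example`, the sample certificate fields and the 30-day warning window are assumptions made for illustration.

```python
import socket
import ssl
import sys


def fetch_certificate(host, port=443, timeout=5.0):
    """Connect like a browser: the default context raises
    ssl.SSLCertVerificationError on an untrusted chain or a name mismatch."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.version()


def covers(pattern, host):
    """Name match where '*' stands for exactly one left-most label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    return (p[0] == "*" or p[0] == h[0]) and p[1:] == h[1:]


def review(cert, host, protocol, now, warn_days=30):
    """Return a list of problems for a getpeercert()-style dictionary."""
    problems = []
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(covers(name, host) for name in names):
        problems.append("certificate does not list " + host)
    seconds_left = ssl.cert_time_to_seconds(cert["notAfter"]) - now
    days_left = int(seconds_left // 86400)
    if days_left < 0:
        problems.append("certificate expired")
    elif days_left < warn_days:
        problems.append(f"certificate expires in {days_left} days")
    if protocol not in ("TLSv1.2", "TLSv1.3"):
        problems.append("outdated protocol " + protocol)
    return problems


# Constructed sample in the shape returned by SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "hotel.example"), ("DNS", "*.hotel.example")),
    "notAfter": "Mar 15 12:00:00 2030 GMT",
}
SAMPLE_NOW = ssl.cert_time_to_seconds("Mar  1 12:00:00 2030 GMT")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Live check: python check_tls.py www.your-hotel-domain
        import time
        cert, version = fetch_certificate(sys.argv[1])
        print(review(cert, sys.argv[1], version, time.time()) or "no problems found")
    else:
        print(review(SAMPLE_CERT, "www.hotel.example", "TLSv1.2", SAMPLE_NOW))
```

Run against a live site, a failed chain or host name check surfaces as an exception from `fetch_certificate` before `review` is reached.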
One of the easiest ways to ensure your website is secure, along with many other benefits, is to invest in a professional website builder tool. These solutions will automatically come with secure encryption and will also help you maintain a functional, SEO-friendly, and charming hotel website.
The beauty of using a customisable website builder is that you’ll have your brand new website within days and it will automatically keep up with Google’s updates as time goes by.
The rise of the hotel credit card breach
Statistics show that 74% of travellers from the US alone make use of credit cards while travelling – citing convenience, theft protection, and easier tracking of purchases as the top reasons.
According to data from payment systems industry information provider Nilson, credit card use in the US jumped 42% from 2012 to 2018, accounting for US $120 billion in transactions.
Unfortunately, these transactions are vulnerable to cyber-criminals who specifically target travellers with disposable incomes. Indeed, hotels are an active hotspot for credit card fraud; according to a study by Trustwave’s SpiderLabs, of 218 data breach investigations from 24 countries, 38% of the attacks occurred on hotels and, of the data stolen, 98% was credit card information.
How hotels can avoid credit card fraud
With so much travel now being booked online – and through a variety of channels – the opportunity for hotels to increase sales is getting bigger all the time. However, it also creates challenges in making sure customer payment data is protected and that no breach occurs at the hands of hackers or fraudsters.
The vast majority of security compromises (91%) occur at point-of-sale systems and are most often Card Not Present (CNP) fraud.
Because CNP transactions are so prevalent in the travel industry and much information is exchanged between hotel and customer, it’s important to know when you might be at risk and how to prevent any data breaches from happening. Since guests expect a hotel to be a safe place to escape to, even a single instance of failing to protect a customer’s data could have huge ramifications on your reputation and finances.
Here’s what to look out for:
1. Hurried purchases
It’s common for fraudsters to contact you in a panic, wanting to rush to set up their accommodation.
It’s important you don’t get flustered. Take adequate time to verify their credit card, passport details, and other relevant documents to make sure they genuinely are who they say they are.
2. First-time guests
It makes sense to be more cautious of people who haven’t booked with you before. With regular customers you can build a relationship and learn their purchase habits.
Be aware of a first-time customer who contacts you online to make a large purchase. Collect all the necessary verification information. For greater security, adopt a payment solution that is designed to capture transaction data in an intelligent manner.
3. Purchaser location
These days many fraudsters have become adept at hiding their true location and stopping themselves being tracked.
If you do have suspicions about a customer, do everything you can to verify their legitimacy, including calling and emailing them to collect data and confirm their identity.
4. Inconsistent addresses
One of the biggest warnings that everything is not what it seems is when someone wants to use different addresses for billing and shipping, which may not apply as strongly to hotels but is very relevant for the travel industry in general.
Given 15 million online hotel reservations are made on bogus third-party sites every year, travellers and guests are on high alert about being scammed.
These rogue websites trick people into thinking they’re reserving directly with their hotel of choice then go on to steal their information and money.
Let’s go through what it is, what it may look like, and how to prevent your hotel falling victim to email scams and phishing.
What is a phishing scam?
As the name suggests, phishing is quite similar to ‘fishing’ although far more malevolent.
Whoever the phisher or hacker is, they attempt to lure their target into opening a malicious download, clicking on fake links, or entering personal information in order to steal data or identities. The end goal, of course, is to make money at someone else’s expense.
In the case of a business like your hotel, the most common form of phishing would come via email. Posing as a friend, co-worker, manager, or trusted company, the email would make a seemingly reasonable request to open an attachment or verify information but would then infect your computer and capture valuable data.
Example of phishing scam
Often a phishing email will look very similar to a normal email you would expect to receive, which is why people can get caught out. Usually the email subject will be around changing a password, discussing transactions, updating information, important notifications etc.
Consider this example of a phishing email from scammers posing as eBay:
Seems perfectly legitimate at first glance but it’s hiding some concerning secrets.
Here are some clues that may indicate this is a phishing email:
It’s simply addressed to ‘sir’, rather than anyone in particular
The threat of account suspension – if eBay truly believed the account was being used for fraud they would suspend it immediately
Spelling and grammar errors – note ‘advise’ is misspelled as ‘advice’. Phishing emails commonly contain errors like this
The link reveals itself to be a fake website if you hover over it, instead of clicking it
You should also carefully check the incoming email address. Sometimes it’s complete nonsense, but often it will closely mimic the real address it’s passing itself off as.
Looking for these clues will help your hotel to avoid being caught by these online scams.
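Several of the clues above can be checked automatically before a message reaches the front desk. The following Python code is an added example, not part of the original article: it parses a raw email and reports the generic greeting, the suspension threat, a link whose visible text and real target differ, and a sender address outside the organisation the email claims to come from (spelling is not checked). Both sample messages, the `.example` domains and all function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed samples (not real emails); every address and URL is made up.
PHISH = """\
From: "eBay Support" <support@ebay-accounts.example>
To: frontdesk@hotel.example
Subject: Your account will be suspended
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear sir,</p>
<p>We advice you to verify your details within 24 hours
or your account will be suspended.</p>
<p><a href="http://login.ebay.com.verify-id.example/signin">https://www.ebay.com/signin</a></p>
</body></html>
"""

LEGIT = """\
From: "eBay" <orders@ebay.com>
To: frontdesk@hotel.example
Subject: Your order has shipped
Content-Type: text/html; charset="utf-8"

<html><body><p>Hello Jane Smith,</p>
<p><a href="https://www.ebay.com/orders/123">View your order</a></p>
</body></html>
"""

GREETING = re.compile(r"\bdear\s+(sir|madam|customer|user|member)\b", re.I)
THREAT = re.compile(r"\baccount\b[^.]{0,60}\b(suspend|terminat|clos)", re.I)
URLISH = re.compile(r"^(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collects visible text and (href, anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.text, self.links, self._href, self._anchor = [], [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor = dict(attrs).get("href"), []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host of a URL or bare domain, without a leading 'www.'."""
    if "://" not in url:
        url = "//" + url
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def on_domain(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def analyse(raw, claimed_domain):
    """Return the names of the clues that fire for one raw message."""
    msg = message_from_string(raw)
    parser = LinkCollector()
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            charset = part.get_content_charset() or "utf-8"
            parser.feed(part.get_payload(decode=True).decode(charset, "replace"))
    body = " ".join(parser.text)
    findings = []
    if GREETING.search(body):
        findings.append("generic_greeting")
    if THREAT.search(msg.get("Subject", "") + "\n" + body):
        findings.append("suspension_threat")
    for href, shown in parser.links:
        # The "hover" test: the anchor text shows one host, the href leads to another.
        if URLISH.match(shown) and host_of(shown) != host_of(href):
            findings.append("link_text_mismatch")
            break
    sender_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if not on_domain(sender_host, claimed_domain):
        findings.append("sender_not_on_claimed_domain")
    return findings


if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, analyse(raw, "ebay.com"))
```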
How to prevent email phishing attacks at your hotel
It’s particularly important you keep your data safe as a security compromise could also endanger the information of your guests, which could do catastrophic damage to your hotel’s reputation and brand image.
There’s a whole range of actions you can take to reduce the amount of phishing emails you receive, and also how to make sure you delete them immediately if they make it to your inbox.
Here’s a list of preventative measures for any email you suspect might be fake:
Ensure anti-spyware, anti-virus, and anti-malware tools are installed and up-to-date on your systems
Make sure all your applications are regularly updated
Check the spelling and grammar of emails you receive
Test links and attachments before opening them
Pay close attention to email addresses and the specificity of email content – authentic emails will include your name, account information/numbers etc.
Be wary of fake login screens trying to capture information – the website URL will not be legitimate
Run an education session for all hotel employees, since less informed staff members may take the bait
Once you know how to spot general phishing emails you should be relatively safe from harm.
There are more complex attacks, known as ‘spear phishing’, which target high profile figures (whales) such as celebrities, but these should affect your hotel far less.
How can cyber security threats in the hospitality industry be avoided
No hotel is too big or small to be a target. In fact, smaller independent properties may be even more vulnerable to attack, and less able to bounce back from the loss of reputation and damages paid.
It’s not enough to have an SSL certificate on your website, or rely solely on third-party payment services such as Paypal or Google Checkout to handle your guests’ credit card security. Each program you use must be securely locked down.
After all, sensitive data can be intercepted at any point in your guests’ booking process. For example, if your online booking system vendor is not PCI DSS compliant, a wayward employee could easily decide to steal credit card data. This is why the standard was invented.
Furthermore, allowing your guests to pay securely helps to stop abandoned website bookings. Worldpay reports that nearly one in five online shoppers have dropped out of online travel bookings because of security concerns around payment.
If you are not actively protecting your guests’ credit card data, you are putting your business and customers at serious risk.
1. Keep your devices and systems up-to-date
One of the biggest risks to security is allowing your devices and systems to go too long without updates and software patches intended to improve and keep them safe. This makes them much more vulnerable to attack from hackers.
The updates issued by your software providers are designed to protect you so it’s important to set your computers to automatically accept and install them periodically.
2. Regularly backup your data
To eliminate the risk of losing data or having it irretrievably damaged, it’s essential to make a habit of backing it up. This will include financial records, business plans, customer data, personal information etc. Backing up your data is generally easy and cost-effective, meaning there’s no excuse not to do it.
Here’s a recommended strategy:
Daily backups to a portable device and/or cloud storage service
Weekly server backups
Quarterly server backups
Yearly server backups
3. Protect against malware and viruses
Often emails, pop-ups, fake accounts and profiles, and actual hackers will try to infect your computer and other devices with software designed to cripple your business or steal from you. Regularly check your bank and billing records to make sure this isn’t happening.
It’s important to install antivirus and anti-spyware and always update when prompted. Additionally you should keep track of all the equipment used by your business and who uses it.
Educate all your employees on the risks and best practices, and never allow them to take sensitive material home with them, or use personal devices for work purposes.
4. Prioritise password security
Some easy-to-remember tips here include frequently updating your passwords, never using the same password for everything, and using unique passwords.
Once a hacker has used one password, every account you own could be under attack if you’ve always used the same one. The same goes if you’re using weak passwords that are easily guessed. The best idea is to change your passwords every few months.
Do not reuse passwords on different business-related accounts. Ideally, use a different, complex password for each online account you have where you have sensitive customer or financial data processed.
5. Know when to trust your software provider
It’s vital that you don’t take every correspondence with your hotel technology providers at face value. Phishing emails are very good at seeming legitimate when in fact they’re fake emails trying to steal information.
So if your provider sends an email they have never sent before, there could be a good reason not to trust it.
6. Use different emails
Try not to use an email address listed on your site as your online system login or username. That potentially makes it easier for a hacker to identify you as their target.
Don’t use email accounts shared between employees, for example [email protected], to log in to any online platforms and solutions. If an employee is accidentally careless online with the shared password, it can make you that much easier to hack.
How SiteMinder helps with cyber security for the hotel industry
Data and security breaches in the hotel industry are incredibly serious and have been too common for comfort in recent years. Whether it’s been major brands like Marriott and Hilton, or software providers such as Prestige, large amounts of information and data have been exposed, resulting in the risk of it being stolen or exploited.
Being the industry’s leading tech provider, SiteMinder places extreme focus on the security and stability of its platform, ensuring the data of its hotel customers and the hotel’s guests is safe at all times.
Here are 10 measures SiteMinder takes so your hospitality business can feel assured.
SiteMinder has full Payment Card Industry Data Security Standards (PCI DSS) compliance, minimising payment card fraud and hacking.
SiteMinder is completely General Data Protection Regulation (GDPR) compliant, to ensure the safety of data belonging to EU residents.
SiteMinder has implemented 350+ security controls to maintain our certifications and we continue to improve in other key areas across our corporate systems.
SiteMinder products are hosted on Amazon Web Services (AWS). The AWS environment maintains multiple security certifications, including ISO 27001, PCI DSS and SOC.
SiteMinder engages respected external security firms to perform regular audits of the products to verify that our security practices are sound and to monitor for new vulnerabilities.
All SiteMinder staff undertake privacy and security training.
SiteMinder employs stringent security to physical premises and access to physical premises is restricted.
All SiteMinder computer hardware is password protected, with encryption and default security firewalls in place to ensure data is always secure.
SiteMinder has detailed protocols in place to monitor and respond to any data breaches which happen on our systems as soon as practicable after they arise.
SiteMinder’s capabilities are measured against the NIST Cybersecurity Framework.
Improve cyber security measures in your hotel and optimise your time with SiteMinder
Elevate your hotel’s cyber security and streamline your operations effortlessly with SiteMinder, a leading-edge hotel management software dedicated to safeguarding guest data and enhancing operational efficiency.
Here’s how we can help boost your revenue and keep your customer data safe:
Enhanced data security: SiteMinder’s robust security protocols ensure the utmost protection of your guests’ personal and payment information. With industry-leading encryption and continuous security updates, our platform guards against data breaches, providing peace of mind for both hoteliers and guests.
Streamlined operations: Streamline your hotel’s operational processes with SiteMinder’s intuitive interface. Our platform simplifies booking management, room allocation, and rate adjustments, allowing you to focus more on guest experience and less on administrative tasks.
Increased revenue opportunities: Unlock new revenue streams with SiteMinder’s powerful analytics and market insights. Understand guest preferences and booking trends to tailor your offerings, optimise pricing strategies, and maximise occupancy rates.
SiteMinder Limited (ASX:SDR) is the name behind SiteMinder, the only software platform that unlocks the full revenue potential of hotels, and Little Hotelier, an all-in-one hotel management software that makes the lives of small accommodation providers easier. The global company is headquartered in Sydney with offices in Bangalore, Bangkok, Barcelona, Berlin, Dallas, Galway, London and Manila. Through its technology and the largest partner ecosystem in the global hotel industry, SiteMinder generates more than 115 million reservations worth over US$45 billion in revenue for its hotel customers each year. For more information, visit siteminder.com.